Hi Hrvoje,

I'm also Cc'ing this message to the Debian BTS (#740846) to keep track of this issue
in case we need this info in the future.

Thanks a lot.

Regards,


On 03/05/2014 09:14 PM, Hrvoje Matijakovic wrote:
> On Wed, Mar 05, 2014 at 08:43:51PM +0100, Dario Minnucci wrote:
>>
>> Hi Hrvoje,
>>
>> I'm in the process of closing CVE-2014-2029 in the Debian package and everything
>> seems OK on version 2.2.7 (it will soon be uploaded to 'unstable' and
>> 'testing|jessie', thanks), but my question is about version 2.1.2
>> (currently in 'stable|wheezy').
>>
>>
>> Here it goes...
>>
>>
>> By checking Percona Toolkit's Changelog file in 'percona-toolkit_2.2.7.tar.gz'
>> I've found this:
>>
>>
>>
>> v2.1.4 released 2012-09-20
>>
>>   * ...
>>   * Implemented the version-check feature in several tools, enabled with the
>>     --version-check option
>>   * ...
>>
>>
>>
>> Can you please confirm whether CVE-2014-2029 was introduced in version '2.1.4'
>> or is really present in previous versions as well (such as '2.1.2')?
>>
>> If my assumption is correct and CVE-2014-2029 was introduced in version '2.1.4',
>> this means that version '2.1.2' (currently in 'stable|wheezy') is *NOT*
>> vulnerable to this CVE, and I'll be able to notify the Debian Security Team
>> so they can update the Debian Security Tracker[0].
>>
>>
>> Thanks in advance.
>>
>> Regards,
>>
>>
>>
>> [0] https://security-tracker.debian.org/tracker/source-package/percona-toolkit
> 
> Hi Dario,
> 
> I've checked with our lead PT developer, and he confirmed that VersionCheck
> was introduced in 2.1.4. The LP milestone says that as well:
> https://launchpad.net/percona-toolkit/2.1/2.1.4
> 
> Let me know if you need anything else regarding this,
> 
> Thanks,
> Hrvoje
> 


-- 
 Dario Minnucci <mid...@debian.org>
 Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
 Key fingerprint = BAA1 7AAF B21D 6567 D457  D67D A82F BB83 F3D5 7033


Attachment: signature.asc
Description: OpenPGP digital signature